As others have mentioned, this will do nothing but make people annoyed and switch to the hash_file() version of exactly the same thing or put up another hurdle to upgrading PHP.

The password hashing API now provides an obvious go-to for password hashing.

For other hashing usages there are, I think, basically two scenarios developers find themselves in:

1) I'm using an API or some other external service and that requires the use of md5 / sha1 - I don't have a choice

2) What do I use instead? Internet searches return "sha1 / md5 is fine for this purpose" or recommend algorithms that aren't natively supported in PHP.

The (hash library) documentation does nothing towards helping developers decide what algorithms (or even which hash library functions) they should use for what purposes (and there are a lot of acronyms that many developers are likely to have never encountered that are never explained - HMAC, PBKDF2, HKDF).

Yes, of course developers can use third party sources to supplement the information in the manual, but who has time to go searching for that (esp. when most of the first page on Google probably tells you md5/sha1 is fine anyway)?

If you want to change the way developers think about hashing when writing PHP, I would start with the documentation rather than deprecating functions which are essentially aliases and are highly likely used all over the place in cases where they do exactly what people want.


On 10/02/2020 21:49, Tom Van Looy via internals wrote:

While in some environments the use of MD5 and SHA1 is still acceptable for
some use cases like file integrity verification etc. the use of these
algorithms should be discouraged and not be your choice when developing new

I suggest deprecating the functions md5_file() and sha1_file(). This will
make people think about upgrading to a better alternative. If you still
need this functionality you can always switch to the hash_file() function.

Carrying around these two dedicated functions seems a bit too much for a
modern PHP. What do you think?

My feeling was that this is a no-brainer. Should I open an RFC for this?

Kind regards,

Tom Van Looy

PHP Internals - PHP Runtime Development Mailing List